Story Highlights

A large-scale cyberattack at Banner Health that began June 17 compromised the records of up to 3.7 million patients, health-insurance-plan members, food and drink customers, doctors and others at Arizona's largest health-care provider's facilities.

Banner Health discovered unusual activity on its computer servers in late June and uncovered evidence of two attacks, with hackers accessing both patient records and payment-card records of food and beverage customers.

The Phoenix-based health-care provider said Wednesday that it will mail letters to 3.7 million patients, health-insurance customers, cafeteria customers, doctors and other health-care providers notifying them about details of the cyberattack and steps they can take to protect themselves. Banner employees, many of whom are patients and covered by Banner Health insurance plans, also are believed to be victims of the attack.

Latest and largest attack

The Banner Health attack is the latest and largest among 32

known data breaches involving Arizona-based health and medical providers since 2010, according to a list maintained by the U.S. Department of Health and Human Services. Hospitals, health-insurance companies, doctors and even medical-transportation firms have had such breaches affecting 500 or more people.

Most of the data breaches among Arizona health-care providers stemmed from lost or stolen laptops, computer drives or paper documents. But data-security experts say health-care providers increasingly face sophisticated attacks from hackers seeking detailed medical records to resell on the black market.

Banner Health officials said they thus far have not received reports of hackers misusing the information, but the health-care provider will offer a free one-year membership in credit-monitoring services to patients, health-plan members and others affected by the cyberattack.

"Suffice to say, this was a group of extremely sophisticated hackers," said Bill Byron, Banner Health spokesman.

Unusual activity detected

The Phoenix-based health-care system's information-technology staff on June 29 detected unusual activity on the health-care provider's computer servers. With assistance from a cybersecurity firm, Mandiant, Banner Health on July 7 discovered that cyberattackers may have accessed computer systems that process payment-card data at food and beverage outlets at some Banner Health locations.

Banner Health officials said the attackers sought payment-card data, including cardholder name, card number, expiration date and internal verification codes of cards that were used at some Banner Health locations from June 23 through July 7. Customers can view a list of affected locations in Arizona, Alaska, Colorado and Wyoming at bannersupports.com/customers/affected-locations/.

On July 13, Banner Health discovered that hackers also may have accessed patient and health-insurance records, which may have included information about doctors and health-care providers. Those records may have included names, birth dates, addresses, doctors' names, dates of service, claims information, health-insurance information and Social Security numbers.

Banner officials said the health-care provider has now blocked the attackers and is "working to enhance the security of its systems in order to help prevent this from happening in the future."

Investigating scope of attack

Byron said Banner Health is continuing to investigate the scope of the attack. For instance, the health-care system did not immediately know how many months or years worth of patient records may have been compromised.

"We are still in the process of trying to determine what the scope is," Byron said.

Banner Health established a website that details information about the data breach at bannersupports.com. Patients or other customers who have questions or concerns about the cyberattack can call 1-855-223-4412.

Arizona Attorney General Mark Brnovich encouraged consumers to take steps to safeguard their personal information. Those steps include requesting new cards from a bank or credit-card company, reviewing all debit and credit-card transactions, and requesting a free credit report from the three main credit-reporting agencies.

Gregg, the data-security expert, said health-care providers are increasingly facing attacks from criminal organizations. He cited a research report released in May by Michigan-based Ponemon Institute that showed nearly 90 percent of health-care organization have reported at least one data breach over the past two years.

One reason for the increase: Sophisticated criminal enterprises are specifically targeting health-care providers and reselling the information for profit, Gregg said.

He said a record containing a name, address and Social Security number may sell for $1 to $3 on the black market. But he said detailed medical records with unique patient identifying numbers can fetch up to $100 per record.